Dreamhost hijacking my prefix...
andree+nanog at toonk.nl
Fri Jan 11 16:46:57 UTC 2013
Here's a quick summary of what we saw at BGPMon.net.
At 2013-01-11 14:14:13 we saw announcements (seemingly) originated by
26347, for prefixes normally announced by other ASn's (origin change /
This seems to have affected 112 prefixes for 110 ASn's , including
Rogers, Tata, Sprint, Ziggo, Verizon, KPN, Vodafone, CloudFlare, XS4ALL,
AT&T, Bell Canada and many more.
Most of these were new more specific(!) announcements.
With regards to next-hop ASN's (peers). It seems this hijack was
propagated via 12 unique (AS26347) peers 
A quick look at the prefix that was mentioned by Jeff, 18.104.22.168/20
(more specific of 22.214.171.124/18)
The first announcement for this prefix was seen at 2013-01-11 14:14:28
and withdrawn at 2013-01-11 15:20:57. It was detected by 42 unique peers.
some example paths:
271 6939 26347
37312 5713 6939 26347
1126 24785 12989 26347
 I've posted some details (Unique next-hop ASN's and affected origin
ASN's), check if your AS was affected here:
.-- My secret spy satellite informs me that at 2013-01-11 7:23 AM Jeff
> Not sure how widespread their "leakage" may be, but Dreamhost just
> hijacked one of my prefixes...
>> Possible Prefix Hijack (Code: 10)
>> Your prefix: 126.96.36.199/18:
>> Update time: 2013-01-11 14:14 (UTC)
>> Detected by #peers: 11
>> Detected prefix: 188.8.131.52/20
>> Announced by: AS26347 (DREAMHOST-AS - New Dream Network, LLC)
>> Upstream AS: AS42861 (PRIME-LINE-AS JSC "Prime-Line")
>> ASpath: 8331 42861 42861 42861 26347
> Anyone have a contact there? ASinfo gives netops at dreamhost.com where I
> have submitted a report, but so far no joy...
More information about the NANOG